QR Code Scammers Get Creative with Bitcoin ATMs

Threat actors are targeting everyone from job hunters to Bitcoin traders to college students wanting a break on their student loans, by exploiting the popular technology’s trust relationship with users.

With the use of QR codes rising, so, too, are the numbers of scams that aim to take advantage of them. Researchers warned that threat actors are going so far as to send potential victims to gas stations to use Bitcoin ATMs in their endeavors to exploit the technology.

The Better Business Bureau (BBB) also warned recently that consumers should watch out for a growing list of scams using QR codes — which are appearing everywhere these days as a simple and contactless way to share information.

QR codes are the square, scannable codes familiar from applications like touchless menus at restaurants, and have gained in popularity over the pandemic as contactless interactions have become the norm. Simply navigating a smartphone camera over the image allows the device’s QR translator – built into most mobile phones – to “read” the code and open a corresponding website.

This simplicity of use is exactly what makes them so attractive for scammers; the very nature of the technology has already set up a trust relationship with its user, researchers from Malwarebytes Labs pointed out. Most of these scams begin with someone receiving an email, a direct message on social media, a text message, a flyer or a piece of mail that includes a QR code, and proceed from there. Once the person scans the code with their mobile device, they’re taken to a malicious website.

“The problem with QR codes stems from how easy they are to use,” they wrote in a report published Tuesday about the growing number of QR code scams. “Point your smartphone’s camera at a QR code and your phone will happily read it, convert it to a URL, and then open the URL in your browser. Very trusting.”

Scams Run the Gamut

The BBB in its advisory, posted late last month, outlined a range of different potential QR code scams for which people should be on the lookout. If someone takes the bait and scans the code, in some cases the QR code will take them to a phishing website and prompt them to enter personal info or login credentials. In other cases, the codes are used to automatically launch payment apps or follow a malicious social-media account, and the scammer will take advantage of the unsuspecting victim in these scenarios.

While the scams reported to the BBB — which keeps a running list via a Scam Tracker posted online for consumer awareness — “differ greatly,” they are dependent on the potential victim scanning the QR code quickly, without thinking too much about it, the bureau said. This way, a person lacks the time to identify a scam that with some examination would appear suspect.

Bitcoin ATM Fraud

Researchers from Malwarebytes analyzed a few of the campaigns, noting a somewhat bizarre trend among scammers to send potential victims to gas stations to use Bitcoin ATMs. The threat actors use the victims as “money mules” to launder “dubious funds by breaking the link between the sender and the recipient, thanks to the gas station ATM,” they wrote.

Researchers describe one such attack that they found “shocking,” involving someone seeking a virtual job at a new organization who uploaded a resume to a job-hunt website.

“The entire job interview was performed using the secure messaging app Telegram, which is somewhat unusual,” they described in the post. “They sent their supposed new employers a copy of their driving license and other personal information.”

The victim was then sent $5,000 to ‘purchase equipment’ for their job, and instructed to send most of the funds back to the “software vendor’s” Bitcoin address via a gas station ATM, researchers wrote.

The victim received the “cold shoulder” from the people who had arranged the deal, soon after the transfer was made. Though no one was cheated out of any money in the scam, the victim “did lose an awful lot of time, and experienced what must have been a lot of stress,” Malwarebytes researchers noted.

How to Avoid QR Code Scams

Both the BBB and Malwarebytes offered some practical advice for avoiding falling victim to one of the new and creative QR-code scams that are cropping up.

Both advised that people ensure QR codes that they encounter in public haven’t been tampered with, such as someone placing a sticker with a QR code over the original one.

Acknowledging that “QR codes in correspondence can be trickier,” Malwarebytes recommends that people keep in mind that the codes are easy to create and are “no more trustworthy than any other word or web address.”

“When dealing with codes from businesses you’ve dealt with, try to confirm the code is genuine,” researchers advised. “If the code opens a website asking for login details, confirm that it’s the company’s legitimate address.”

Overall, if someone is asked to log in to something via a QR code, it’s always “risky behavior,” so he or she likely shouldn’t comply whether a code is real or not, they added.

The BBB added that people should be wary of encountering short links once a code is scanned, since these don’t show where the link leads and are likely a malicious URL.

The bureau also recommended that people consider using QR-scanner apps provided by antivirus companies to help them check the safety of a scanned link before opening it to avoid phishing scams or unauthorized app downloads.
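The checks described above (short links, a login page that is not on the company's legitimate address, codes that launch payment apps) can be applied to a decoded QR payload before anything is opened. The following is an added example, not code from the BBB, Malwarebytes or any scanner app; the host and scheme lists, the function names and the `.test`/`.example` sample values are assumptions constructed for illustration, and the userinfo check goes slightly beyond what the article lists.

```python
from urllib.parse import urlsplit

# Assumed, illustrative lists; not taken from the BBB or Malwarebytes advice.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co"}
PAYMENT_SCHEMES = {"bitcoin", "ethereum"}


def host_matches(host, expected):
    """True only for the expected domain itself or a real subdomain of it."""
    host = host.lower().rstrip(".")
    expected = expected.lower().rstrip(".")
    # A plain suffix test would accept "notexamplebank.test"; require the dot.
    return host == expected or host.endswith("." + expected)


def triage_qr_payload(payload, expected_domain=None):
    """Return reasons to stop and review a decoded QR payload before opening it.

    expected_domain is the address the user already knows belongs to the
    business (hypothetical parameter); an empty list means nothing was flagged.
    """
    parts = urlsplit(payload.strip())
    scheme = parts.scheme.lower()
    if scheme in PAYMENT_SCHEMES:
        # The code would hand off to a wallet or payment app, not a web page.
        return ["launches-payment-app"]
    if scheme not in ("http", "https"):
        return ["non-web-scheme"]

    findings = []
    host = (parts.hostname or "").lower()
    if "@" in parts.netloc:
        # "https://brand@other-host/" displays the brand but connects elsewhere.
        findings.append("userinfo-in-url")
    if host in SHORTENER_HOSTS:
        findings.append("short-link-hides-destination")
    if expected_domain and not host_matches(host, expected_domain):
        findings.append("host-not-expected-domain")
    return findings


if __name__ == "__main__":
    # Constructed sample payloads, as a QR decoder would return them.
    for sample in ("https://www.examplebank.test/menu",
                   "https://examplebank.test.login-portal.example/signin",
                   "https://bit.ly/abc123",
                   "bitcoin:EXAMPLEADDRESS?amount=0.1"):
        print(sample, triage_qr_payload(sample, "examplebank.test"))
```
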
